[Servercert-wg] Ballot SC29v3: System Configuration Management

Neil Dunbar ndunbar at trustcorsystems.com
Wed Apr 15 04:37:17 MST 2020 

On 14/04/2020 19:21, Ryan Sleevi wrote:
>
>
> On Tue, Apr 14, 2020 at 9:49 AM Neil Dunbar via Servercert-wg 
> <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>> wrote:
>
>     After lengthy discussions both on list and on the NetSec meeting,
>     the question about whether a CA approved source of
>     patches/software updates counts as a change managed process within
>     the text of the ballot. The conclusion to those discussions was
>     that it _does_ fall within the terms of this ballot. Note: it lies
>     entirely outside the remit of the NetSec committee to say whether
>     this is a good practice or a bad one - merely that it has the
>     criteria of approval and review as required. To that extent, the
>     ballot has been changed to explicitly require the change
>     management process results to be subject to review, rather than
>     "testing" per the previous wording.
>
> Just to make sure - that specific change (from previous versions) is 
> https://github.com/cabforum/documents/commit/aefc8ad1a106e40315ba01aa13ea00cb93363805 , 
> correct?
>
> I am concerned a bit with the above disclaimer, but may just be 
> confused, and so wanting to check my understanding and make sure we've 
> got the same conclusion :)

The github change is correct, yes.

I suspect that this reply will be a bit disappointing to you; the 
minutes of the fuller discussion can be found on: 
https://cabforum.org/pipermail/netsec/2020-April/000326.html

Apologies that those were not made available sooner, but (as you can 
see) it was a very ... spirited ... discussion which covered a lot of 
ground - I tried to capture everyone's viewpoint. The people on the call 
will be able to say whether or not I succeeded.

> Goal: Enabling automatic updates (i.e. directly via software), which 
> connects to a third-party (e.g. the OS or software vendor), without 
> requiring any human documentation or approval of the specific updates 
> being applied, is clearly and explicitly forbidden.
>
> Goal: Enabling automatic updates (i.e. directly via software), from a 
> CA-maintained list of approved updates, is fine. A CA process that 
> defines that they approve updates provided by the OS vendor, and 
> maintaining documentation to the effect of exactly what was approved 
> and installed, is also fine.
>
> Is that a correct understanding and conclusion?

I do not think that these are accurate statements of the principal goal 
of the ballot. The goal of the ballot was primarily to encourage CAs to 
move away from manual reviews of system configurations towards a 
continuous automated approach to reporting and reviewing and alerting 
upon of configuration changes, unless such changes were the anticipated 
results of an authorised modification via a change control process.

The discussion pointed to above does allow the notion of an automated 
update process *assuming* such a process has been clearly documented, 
it's approval clearly noted (by someone capable of knowing what this 
entails and properly authorised to make the determination) and the 
review process for when and how changes happen is also well documented. 
I presume that an auditor would want to know upon what basis the trust 
in such an automated approach was founded, but clearly I can't speak for 
any auditor.

Now - I (and others) have noted risks in the above process; but it seems 
to me that - according to the text of the ballot, as well as the intent 
of the team members discussing said ballot - that such a configuration 
is within the context of a change control process requiring 
documentation, approval and review (as specified in the text). I cannot 
say that I consider it a *good* change management process, but the 
ballot's corollary goal is to ensure that system modifications follow a 
defined change management process, without specifying what that process 
should be. We do not, for instance, state that the change control must 
follow ITIL specifications - although I know for a fact that some CAs do 
use ITIL as their change control process form.

> Specifically, I want to make sure that the view is not that the NCSSRs 
> permit treating the OS or software vendor as a Delegated Third Party, 
> where the OS vendor themselves are (effectively) tasked with 
> documentation, approval, and review of updates to the CA's systems. 
> The effect of allowing automatic updates is to effectively give 
> control of the system to the vendor, and there needs to be some CA 
> responsibility in ensuring the systems are in a defined and documented 
> state.
I still think that the CA is responsible for the representation and 
behaviour of the systems so managed: merely saying "Oh, Canonical put 
out a bad Ubuntu patch and that allowed system X to get owned" would not 
(to me) be an acceptable explanation. The CA is still responsible for 
knowing about, and taking responsibility for, any changes which occur on 
any of their systems, including ones which came from patching via 
sources from an externally curated repository.
> Given the discussion folks had, I want to make sure that no CA or 
> auditor will interpret this as allowing automatic updates. More 
> concretely, a statement "Running on a fully patched OS" would be bad, 
> while a statement "Running on this OS version, with patches X, Y, Z 
> applied" is good, in that it's always concretely defined the state of 
> the CA's system. It doesn't seem that "fully patched" can meet the 
> criteria of approval/review, but I'm hoping I'm not missing some of 
> the discussion.

I think that any CA would still be expected to say "the state of this 
system is base OS version aa.bb.cc, with the following list of patches 
applied: X, Y, Z" - some nebulous term like "fully patched" is clearly 
defined as a function of time (since patches appear from vendors at 
points not under the control of the CA), rather than as an iterative 
function of patching activity. The patch history remains entirely the 
responsibility of the CA to attest; a CA cannot just perform a current 
package list, hand that to an auditor and say "there you go" - the CA 
still has the responsibility of saying "Patch C on date X replaced Patch 
B on date Y which replaced Patch A which was deployed on date Z".

In conclusion, then, I think that the text of the ballot does allow 
automated updates from the vendor or mirror, but I think that the 
description of the change control process would need to be considerably 
more documented than a mere "we just patch when Red Hat pushes a patch".

Regards,

Neil

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200415/99b41983/attachment.html>

More information about the Servercert-wg mailing list